1. Technical Field
This invention relates to the field of privacy protection and, more particularly, to a system for protecting an individual's health information.
2. Description of the Related Art
The ability to provide the appropriate health care to an individual can depend on the health care provider having access to information regarding the patient, particularly including the patient's medical history. Recent advances in digital technologies have enabled health care systems and providers to store vast amounts of information regarding the patient's medical history. This information, in most cases, can be accessed almost instantaneously by health care providers. Additionally, communication networks can enable confidential information to be updated in a central location so that updated information can be accessed from a multitude of remote locations. Thus, the digital revolution and the advances in communication technology have laid the foundation for an infrastructure that gives health care providers access to updated confidential information.
While access to such information can greatly enhance the quality of health care provided to a patient, the amount of personal and confidential information available has caused concern regarding the confidentiality of the patient's private medical information. In reaction to a public outcry for the protection of health care information, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on Aug. 21, 1996. Thereafter, the “Privacy Rule” was adopted to elaborate on national standards for safeguards to protect the confidentiality, integrity, and availability of electronically protected health information. The Privacy Rule protects all individually identifiable health information that is held or transmitted by a health care provider. Individually identifiable health information can be information, including demographic data, that relates to the individual's past, present or future physical or mental health or condition, and that identifies the individual or can be used to identify the individual, such as the patient's name, address, birth date, and Social Security Number.
Failure to timely implement these standards to protect such information may, under certain circumstances, trigger the imposition of civil or criminal penalties. For example, civil monetary penalties of $100 per failure can be imposed on entities that fail to comply with a Privacy Rule requirement.
While health care providers need to protect confidential information in order to comply with the Privacy Rule, the logistics of protecting confidential information must balance the protection of confidential information with the need of health care providers to have access to such information. Because many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care, such a balance must be delicately struck.
Additionally, present health care systems involve a great number of people, not only to provide comprehensive health care to a patient, but also to ensure that patients are appropriately billed. Many of these persons do not need to know an individual's private health care information. For example, while a hospital helper may need to know to push the wheelchair of a patient to operating room A so that the patient can have surgery, the hospital helper does not need to know why the patient is having surgery. In stark contrast, it is apparent that a complete medical history should be readily available to the surgeon. Thus, individuals involved in a patient's health care may not need the same amount of access to the patient's health care information.
Moreover, due to the nature of the communications and practices of the health care industry, as well as the various environments in which individuals receive health care, the measures incorporated should attempt to eliminate incidental disclosure of confidential information. For example, in a typical emergency room and/or waiting room, one patient may overhear a health care provider's confidential conversation with a patient, or may inadvertently glimpse an emergency room sign-in sheet that likely contains the patient's name and reason for visiting the emergency room. While such communications may be necessary, health care providers now have a duty to place reasonable safeguards against the unnecessary dissemination of confidential patient information.